Potential security issue with GroupWise WebAccess 6.0 and 6.5

  • 10091330
  • NOVL95659
  • 17-Feb-2004
  • 08-Mar-2004

Fact

Apache Web Server 1.3x for NetWare

Novell GroupWise 6

Novell GroupWise 6 WebAccess

Novell GroupWise 6.5

Novell GroupWise 6.5 WebAccess

Novell NetWare 6.0

Symptom

Potential security issue with GroupWise WebAccess

Cause

Novell has identified an issue with the default configuration of GroupWise 6 and 6.5 WebAccess that could allow unauthorized access to the WebAccess server.  This issue affects only systems running GroupWise 6 or 6.5 WebAccess on NetWare using the Apache 1.3x web server and where Apache is loaded using the GWAPACHE.CONF file.  Customers using a different web server (such as Novell Enterprise or Apache 2) should not be affected.

Fix

To prevent unauthorized access to a GroupWise WebAccess server, you can edit the permissions section of the GWAPACHE.CONF file, which is located just below the line where DocumentRoot is specified.

By default, that section reads:

# First, we configure the "default" to be a very restrictive set of
# permissions. 
#
<Directory "/">
    Options FollowSymLinks
    AllowOverride None
</Directory>

That section should read:

<Directory "/">
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    deny from all
</Directory>

To resolve this issue, you can perform a full installation of the most recent field-test file for 6.5 SP2 WebAccess (FWA652E.EXE or later), which is available from https://support.novell.com/filefinder
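
The GWAPACHE.CONF change described above can be verified with a short script. This is an added example, not Novell's code: the function name, the sample strings and the `/constructed/docroot` block are assumptions made for illustration, and the check looks only for the two added directives inside the root `<Directory "/">` block.

```python
import re

# Directives the fix adds to the root <Directory "/"> block.
REQUIRED = ("order deny,allow", "deny from all")

def missing_root_restrictions(conf_text):
    """Return the required directives absent from <Directory "/">.

    Returns None if the configuration has no <Directory "/"> block.
    """
    in_root, found_block, seen = False, False, set()
    for raw in conf_text.splitlines():
        line = " ".join(raw.split()).lower()  # Apache directives are case-insensitive
        if not line or line.startswith("#"):
            continue
        if not in_root:
            # Match only the root block, quoted or unquoted.
            if re.fullmatch(r'<directory "?/"?\s*>', line):
                in_root = found_block = True
        elif line.startswith("</directory"):
            in_root = False
        else:
            seen.add(line)
    if not found_block:
        return None
    return [d for d in REQUIRED if d not in seen]

# Constructed sample input: the default block from the TID, followed by a
# placeholder document-root block that must not satisfy the check.
DEFAULT_CONF = '''
# First, we configure the "default" to be a very restrictive set of
# permissions.
<Directory "/">
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/constructed/docroot">
    Order allow,deny
    Allow from all
</Directory>
'''
FIXED_CONF = DEFAULT_CONF.replace(
    "    AllowOverride None\n</Directory>",
    "    AllowOverride None\n    Order deny,allow\n    deny from all\n</Directory>", 1)

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONF), ("fixed", FIXED_CONF)):
        print(name, "missing:", missing_root_restrictions(text))
```

An empty list means both directives are present in the root block; directives in other `<Directory>` blocks are deliberately ignored.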